feat: create service accounts with same claims as parent (#13357)

allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2025-10-29 15:55:00 -04:00 · 2021-10-05 11:49:33 -07:00 · 2021-10-05 11:49:33 -07:00 · d7cb6de820
commit d7cb6de820
parent 3d5750f31c
2 changed files with 16 additions and 15 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -532,6 +532,7 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 	opts := newServiceAccountOpts{
 		accessKey: createReq.AccessKey,
 		secretKey: createReq.SecretKey,
+		claims:    make(map[string]interface{}),
 	}

 	// Find the user for the request sender (as it may be sent via a service
@ -565,16 +566,13 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 		}
 		targetGroups = requestorGroups

-		// In case of LDAP we need to set `opts.ldapUsername` to ensure
-		// it is associated with the LDAP user properly. We _only_ do
-		// this if this user is in LDAP (the other possibility is the
-		// root user).
-		if globalLDAPConfig.Enabled {
-			v1, ok1 := cred.Claims[ldapUserN]
-			v2, ok2 := v1.(string)
-			if ok1 && ok2 {
-				opts.ldapUsername = v2
+		// In case of LDAP/OIDC we need to set `opts.claims` to ensure
+		// it is associated with the LDAP/OIDC user properly.
+		for k, v := range cred.Claims {
+			if k == expClaim {
+				continue
 			}
+			opts.claims[k] = v
 		}
 	} else {
 		// Need permission if we are creating a service acccount for a
@ -593,12 +591,13 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 		// In case of LDAP we need to resolve the targetUser to a DN and
 		// query their groups:
 		if globalLDAPConfig.Enabled {
-			opts.ldapUsername = targetUser
+			opts.claims[ldapUserN] = targetUser // simple username
 			targetUser, targetGroups, err = globalLDAPConfig.LookupUserDN(targetUser)
 			if err != nil {
 				writeErrorResponseJSON(ctx, w, toAdminAPIErr(ctx, err), r.URL)
 				return
 			}
+			opts.claims[ldapUser] = targetUser // username DN
 		}

 		// NOTE: if not using LDAP, then internal IDP or open ID is
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1171,8 +1171,7 @@ type newServiceAccountOpts struct {
 	accessKey     string
 	secretKey     string

-	// LDAP username
-	ldapUsername string
+	claims map[string]interface{}
 }

 // NewServiceAccount - create a new service account
@ -1260,9 +1259,12 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 		m[iamPolicyClaimNameSA()] = "inherited-policy"
 	}

-	// For LDAP service account, save the ldap username in the metadata.
-	if opts.ldapUsername != "" {
-		m[ldapUserN] = opts.ldapUsername
+	// Add all the necessary claims for the service accounts.
+	for k, v := range opts.claims {
+		_, ok := m[k]
+		if !ok {
+			m[k] = v
+		}
 	}

 	var (